It has been observed that clients may not respond to remote decryption commands issued by Server Commands or GPO if no user is logged onto the machine at the time of the policy application. Once a user logs into Windows the decryption process begins and completes normally however.

Resolution:

To workaround this behavior an executable has been added to the client installers that will load to:

This .exe can be run remotely to force the decryption process to start without the requirement for user logon. This executable must be run after application of the policy meaning that the GPO must be applied or the machine must check-in once to receive a Native Policy. One example of a tool that could be used to execute this is Microsoft's "psexec", described at the location below: